Amazon_ApiGateway_4

Ensure that the authorization type of every API Gateway method is not set to NONE

Description

When the authorization type is set to NONE, anyone with access to the API Gateway network can use it. If the gateway is public, anyone can use the API.

Remediation

From TF:
Set an authorizer on your API Gateway method:
resource "aws_api_gateway_method" "test" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  resource_id = aws_api_gateway_resource.this.id

  # Any method other than OPTIONS (e.g. "GET", "PUT"): authorization must not be "NONE"
  http_method   = "…"
  authorization = "…"
  authorizer_id = aws_api_gateway_authorizer.this.id

  # OR, only when http_method is "OPTIONS", authorization may be "NONE":
  # http_method   = "OPTIONS"
  # authorization = "NONE"
}

References:
1. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html
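
A check for this rule over Terraform plan output, as an added example (not part of the original rule page or the vendor's own implementation). It assumes the plan was exported with `terraform show -json`; the sample plan and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like the planned_values part of `terraform show -json`.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_api_gateway_method.get_open", "type": "aws_api_gateway_method",
     "values": {"http_method": "GET", "authorization": "NONE"}},
    {"address": "aws_api_gateway_method.cors", "type": "aws_api_gateway_method",
     "values": {"http_method": "OPTIONS", "authorization": "NONE"}},
    {"address": "aws_api_gateway_method.put_iam", "type": "aws_api_gateway_method",
     "values": {"http_method": "PUT", "authorization": "AWS_IAM"}}
  ],
  "child_modules": [{"address": "module.api", "resources": [
    {"address": "module.api.aws_api_gateway_method.any_open",
     "type": "aws_api_gateway_method",
     "values": {"http_method": "ANY", "authorization": "NONE"}}
  ]}]
}}}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unauthenticated_methods(plan):
    """Return sorted addresses of API Gateway methods that violate the rule."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_api_gateway_method":
            continue
        values = res.get("values") or {}
        method = str(values.get("http_method") or "").upper()
        # Fail closed: a value missing from the plan (not yet known) is treated as NONE.
        auth = str(values.get("authorization") or "NONE").upper()
        # Rule from this page: NONE is acceptable only on OPTIONS methods.
        if auth == "NONE" and method != "OPTIONS":
            findings.append(res["address"])
    return sorted(findings)


if __name__ == "__main__":
    for address in unauthenticated_methods(SAMPLE_PLAN):
        print(f"FAIL Amazon_ApiGateway_4: {address}")
```

Methods declared inside child modules are walked as well, so a module that wraps the gateway does not hide an unauthenticated route from the check.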

Service

API Gateway

Severity

High

Compliance

Mapping
